AUDIT OF SBA'S PROCESS FOR COMPLYING WITH THE FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT REPORTING REQUIREMENTS

AUDIT REPORT NUMBER 4-34

JULY 29, 2004

This report may contain proprietary information subject to the provisions of 18 USC § 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.

U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
Washington, DC 20416

AUDIT REPORT
Issue Date: July 29, 2004
Report Number: 4-34

To:       Thomas A. Dumaresq
          Chief Financial Officer

          Michael J. Pappas
          Associate Administrator for Field Operations

From:     Robert G. Seabrooks [FOIA Ex. 6]
          Assistant Inspector General for Auditing

Subject:  Audit of SBA's Process for Complying with the Federal Managers' Financial Integrity Act Reporting Requirements

We completed an audit of the process that SBA has developed in order to comply with the Federal Managers' Financial Integrity Act (FMFIA) reporting requirements and found that SBA needs to develop more effective procedures for compliance with FMFIA.

BACKGROUND

In 1982, Congress passed FMFIA which requires agencies to develop cost-effective internal accounting and administrative controls.
These controls are intended to help ensure that an agency's (1) obligations and costs comply with applicable laws; (2) funds, property, and other assets are safeguarded from waste, loss, or mismanagement; and (3) revenues and expenditures are properly recorded and accounted for. The Chief Financial Officers Act of 1990 requires the Chief Financial Officer (CFO) to develop and maintain internal controls within the Agency.

FMFIA tasked the General Accountability Office (GAO) and the Office of Management and Budget (OMB) to issue agencies guidance to assist them in establishing, assessing, and reporting on internal controls. As a result, GAO Standards for Internal Control in the Federal Government (GAO Standards) was issued to provide agencies an overall framework for establishing and maintaining internal controls, and OMB Circular A-123, Management Accountability and Control (OMB Circular A-123), was issued to provide agencies specific requirements for assessing and reporting on internal control.

Section 2 of FMFIA requires the head of each agency to annually evaluate their agency's internal controls and report to the President and Congress on whether those controls comply with the GAO Standards. The agency head must include in the report any identified material weaknesses in the internal accounting and administrative controls as well as a plan for correcting those weaknesses. A material weakness is a deficiency in internal control that the Administrator determines to be significant enough to be reported outside the agency.

To satisfy this reporting requirement, SBA's Administrator certifies in SBA's Performance and Accountability Report (PAR) whether the Agency's internal controls are achieving their intended objectives in accordance with applicable requirements.
This certification, referred to in this report as the "Administrator's assurance statement," is based on the following process as represented in the FY 2002 PAR.

District and headquarters managers employ various assessment tools to assess their internal controls. They submit assertion letters to the Office of the Chief Financial Officer (OCFO) and the Office of Field Operations (OFO) on the status of their respective organization's internal controls. These assertion letters also address any corrective actions the managers have taken with respect to weaknesses identified by GAO and the Office of Inspector General (OIG). CFO and OFO then review the assertion letters to ensure any areas of concern noted by the managers are incorporated into SBA's internal control process and determine whether all outstanding audit issues were adequately addressed. OFO provides comments to OCFO based on their review of the assertion letters from district managers.

OCFO is responsible for formulating the Administrator's assurance statement. Based on the letters from OFO and the headquarters offices, OCFO drafts the Administrator's assurance statement. The Administrator then certifies whether or not the Agency's controls are meeting their intended objectives in accordance with FMFIA and relevant GAO and OMB criteria. In FY 2002 and FY 2003, the Administrator provided a "qualified" statement of assurance due to one financial management related material weakness in FY 2002 and two weaknesses in FY 2003.

OBJECTIVES AND SCOPE

The overall objective of this limited scope audit was to evaluate the adequacy of SBA's process for assessing and reporting on the effectiveness of its internal controls in accordance with section 2 of FMFIA, OMB Circular A-123, and the GAO Standards.
The specific objectives were to (1) determine what policies and procedures SBA had implemented to ensure that SBA managers are meeting specific objectives of FMFIA; (2) assess the adequacy of the processes used by SBA to develop and implement appropriate controls, assess risks, improve internal controls, and report annually on the adequacy of its internal controls; and (3) determine the adequacy of procedures SBA used for gathering, assessing, summarizing, and reporting the data provided by its program and district offices for the development of the Administrator's statement of assurance. We did not perform an audit of SBA's internal controls, including controls associated with the Agency's accounting system, in accordance with the GAO Standards and OMB Circular A-123. Our purpose was to focus solely on the FMFIA assessment and reporting process.

To accomplish the objectives, we reviewed applicable laws and regulations including FMFIA, OMB Circular A-123, and the GAO Standards. We also reviewed SBA's internal policies and procedures including applicable SOPs, procedural notices, PARs and its internal control intranet website.
Additionally, we judgmentally selected and interviewed responsible representatives from nine oversight, program and district offices as detailed in the table below.

Office     Sampled Population  Total Population  Selected Offices
Oversight  2                   4                 Office of Entrepreneurial Development and Office of Management and Administration
Program    3                   21                Office of Women's Business Ownership, Office of Financial Assistance, and Office of Surety Guarantees
District   4                   80                Washington Metropolitan Area District Office, Baltimore District Office, Philadelphia District Office and Richmond District Office.

We also reviewed the sampled offices', OCFO's, and OFO's procedures for identifying and assessing internal controls, collecting data and summarizing the results for the Administrator's FY 2002 and 2003 FMFIA assurance statements.

Fieldwork was performed in Washington, DC and at selected district offices from June 2003 to April 2004.
The audit was conducted in accordance with Government Auditing Standards.

AUDIT RESULTS

We determined that SBA has not established and maintained an effective process for ensuring SBA's compliance with FMFIA's annual internal control assessment and reporting requirements. We specifically concluded that:

1. SBA needs to more effectively communicate its FMFIA assessing and reporting requirements,
2. SBA's policies and procedures regarding internal control assessment are not sufficient,
3. Management is not performing complete risk assessments of their respective offices in accordance with regulations,
4. OCFO needs to take a more active role in monitoring the FMFIA reporting process,
5. SBA's FY 2002 PAR regarding the Agency's internal control process contained inaccurate information, and
6. SBA has a potential material weakness related to its FMFIA internal control assessment and reporting process.

SBA's lack of effective procedures for assessing and reporting on internal controls in accordance with FMFIA in itself is a potential material weakness. If not corrected immediately, this condition should be reported as a material weakness to the President and Congress in SBA's FY 2004 FMFIA assurance statement.

Finding 1: SBA Needs to More Effectively Communicate its FMFIA Assessing and Reporting Requirements

The process for ensuring SBA's compliance with FMFIA's annual internal control assessment and reporting requirements needs to be communicated more effectively throughout the Agency.
We found that:

• Sampled SBA managers were unclear as to their roles and responsibilities regarding FMFIA.
• Sampled managers were not aware of resources available to assist in the assessment of their internal controls.
• More than half of the required oversight and program offices did not provide assertion letters to OCFO in FY 2003.

This lack of information impaired management's ability to accomplish their duties and possibly led them to submit inaccurate internal control assessments to OCFO on the strength of their office's internal control structure. As a result, the Administrator may have released an inaccurate assurance of the Agency's internal control status to the President and Congress.

One way to help ensure SBA's compliance with FMFIA is to hold management accountable for the FMFIA process in their performance standards. A stronger understanding of the importance of FMFIA by Agency management will help ensure the data provided in the annual assurance statement is accurate and complete.

Responsible Oversight, Program and District Officials Were Unclear as to Their Roles and Responsibilities Regarding FMFIA.

Officials from one oversight office, three program offices, and one district office did not understand what FMFIA was and their role in the FMFIA process. Despite the lack of understanding about the process, four of these officials certified in assertion letters to OCFO that their offices had met the stated internal control objectives of their operations and did not report any material weaknesses. Additionally, during interviews, none of the sampled program offices were able to go into specifics about the process they used to gather and summarize the information for the assertion letters. One program official did not even know their program office was required to assess internal controls annually.
As a result, there is no assurance that the letters submitted by those oversight, program and district offices were accurate assessments of their internal controls.

Our audit also found that OFO did not have a clear understanding of its role in SBA's FMFIA process. SBA's internal control procedural notices for FY 2002 and 2003 required that District Directors (DD), Branch Managers (BM), and Regional Administrators (RA) forward their assertion letters to OFO, which was responsible for consolidating the information and forwarding a summary to OCFO. The representative handling the assertion letter in OFO for FY 2002 stated it was his understanding that OFO was to act merely as a bridge of information between the field offices and OCFO. He thought when a district office sent an assertion letter to OFO it was simply his job to forward it to OCFO. The representative did not review the letters or summarize the information into a statement for OCFO. As a result, OFO did not know the district office's assessment of their internal control objectives and whether they reported any material weaknesses. The representative stated this occurred because he misread the procedural notice.

In FY 2003, OFO did review and summarize the assertion letters from the district offices; however, OFO did not provide the summarization to OCFO until after the draft assurance statement had been submitted for review by OCFO.
As a result, OFO's assertion was not used in formulating the draft assurance statement in FY 2003.

OCFO officials acknowledged the required process was not followed; however, they stated that in both FY 2002 and 2003, the assertion statements from the district offices were reviewed by OCFO prior to the release of the Administrator's annual assurance statement. Therefore, the submitted assertion statements from the district offices were considered when formulating the Administrator's assurance statement.

SBA Needs to Better Educate Its Employees about the Resources Available for Assessing and Improving Internal Controls.

Although SBA has provided agency management and employees various internal control assessment tools via its internal control intranet website, we found that none of the sampled offices utilized these tools. As a result, Agency management and employees are not benefiting from the use of such tools when performing their annual internal control assessments.

In 1999, SBA set up the internal control website to implement an internal control framework within SBA. The website is very user friendly and provides internal control criteria and standards, information as to how the framework was being implemented into SBA, and provides assessment tools such as an information technology risk assessment template, risk assessment template, control evaluation template and action plan template. OCFO provided this beneficial information to Agency management and employees for their use in assessing and improving their office's internal controls.

Our audit found, however, that of the nine sampled offices, five of the offices were unaware of the tools on the website, and the remaining four offices were aware of the tools, but stated they do not use them.
This may have occurred because OCFO did not issue guidance in its informational, policy, and procedural notices regarding internal control to educate managers and employees about the tools and how they are to be utilized.

One tool provided on the intranet website that we believe should be utilized is the corrective action plan template. OMB Circular A-123 states that corrective action plans should be developed for all deficiencies identified through the internal control assessment process, whether material or not. The template provided by OCFO includes steps that are to be followed to mitigate an identified problem. Each step is to have a due date, explanation of how the step will improve the problem and a person designated to oversee the work. Our audit found that none of the sampled offices questioned knew about the corrective action plan template available on the intranet website. We believe that using the corrective action plan template will help ensure that deficiencies are being mitigated effectively and efficiently.

Requested Internal Control Assertion Letters Were Not Always Submitted

For FY 2003, only 14 out of 29 internal control assertion letters were submitted by oversight and program offices to OCFO as requested by SBA's internal guidance. As a result, OCFO may have lacked sufficient data in developing the Administrator's FY 2003 internal control assurance statement. Therefore, the assertion letter released by the Administrator in FY 2003 may be unsupported and based on incomplete data.

In order to gather the information for the Administrator's annual assurance statement, OCFO released procedural notices in FY 2002 and 2003 requiring SBA management to submit an annual assertion letter regarding their respective office's internal controls.
These statements would provide the Administrator with information on accomplishments and alert him to actual and potential problems within the organization's internal controls.

The internal control procedural notice for FY 2003 did not include a list of specified offices that were to submit an assertion statement to OCFO, as it did in FY 2002. Therefore, we concluded that for FY 2003, assertion letters were requested to be submitted by all managers to whom the procedural notice was addressed. This included all Associate Deputy Administrators (ADA), RAs, DDs, Associate Administrators (AA), and Directors of preferred lenders program (PLP) centers and servicing centers. The procedural notice stated that RAs and DDs were to provide their assertion letters to OFO and the Directors of PLP centers and servicing centers were to provide their letters to the Office of Capital Access.

Thus, 29 managers were requested to provide assertion letters to OCFO. Of the 29 managers, only 14 submitted letters to OCFO. This was a result of OCFO not clearly stating which agency officials were to submit assertion statements in the internal control procedural notice for FY 2003. Consequently, SBA needs to more effectively communicate which managers are required to submit assertion letters and to whom they are to be submitted.

Based on discussions with OCFO officials, they agreed that the procedural notice requesting assertion statements did not clearly state which agency officials were to submit statements directly to OCFO. They stated, however, that it was only intended that statements be received from the ADA level officials and their letters in turn would be supported by the AAs of the program offices beneath them. Accordingly, they believe statements from the ADA level will provide a complete assessment of the agency.
We agree that sufficiently supported assertion statements for the ADA level would cover part of the agency; however, offices that are not headed by an ADA should be required to submit assertion statements to OCFO. Such offices include the Office of Disaster Assistance, Office of Veteran's Business Development and Office of the Chief Information Officer.

SBA Management Should Be Held Accountable for Their Involvement in the FMFIA Process

Based on the issues presented in this report, we believe that SBA should do more to enhance the internal control environment within the Agency. This will ensure that Agency managers and employees are aware of the important role they play in developing, maintaining and assessing their office's internal controls. To help accomplish this, we recommend SBA include FMFIA related job performance standards in its performance appraisal system for applicable Agency managers and OCFO officials. We discussed the feasibility of this idea with a representative from SBA's Office of Human Resources. It is our understanding that this can be done as long as SBA clearly defines its expectations of managers with respect to FMFIA.

We believe that holding management accountable for their involvement in the FMFIA process would create a more positive and supportive attitude towards internal control. Additionally, this would help ensure that managers are maintaining and assessing their internal controls and risks according to applicable criteria.

Recommendations:

We recommend that the Chief Financial Officer:

1A. Develop policies and procedures for SBA managers that explain FMFIA and their responsibilities regarding FMFIA. The policies and procedures should establish guidelines for the evaluation by Agency managers of their systems of internal accounting and administrative controls.

1B. Provide training to SBA management on the policies and procedures developed as a result of recommendation 1A.

1C. Take actions to make Agency managers aware of the resources (i.e. intranet tools of risk and internal control assessment) that are available on SBA's intranet website and educate the managers on how to best utilize these resources in performing internal control assessments.

1D. Work in conjunction with the Office of Human Resources to incorporate FMFIA related job performance standards in the performance appraisals of selected SBA managers and clearly define the standards for which managers are to be held accountable.

We recommend that the Associate Administrator for Field Operations:

1E. Work in conjunction with the Chief Financial Officer to inform all Regional Administrators and District Directors about FMFIA and their responsibilities regarding FMFIA.

SBA Management's Response:

OCFO generally disagreed with finding 1 and related recommendations 1A and 1D in our draft report. OCFO agreed with recommendations 1B and 1C. OFO agreed with recommendation 1E.

OCFO believes that the cause for finding one is more accurately defined as a communication issue rather than SBA not having established and maintained an effective process for reporting on internal controls according to section 2 of FMFIA. They requested that we change the first sentence of finding one to reflect the idea that procedures for FMFIA compliance need to be more adequately communicated.

OCFO disagreed with the section of finding 1 entitled, "Required Internal Control Assertion Letters Were Not Always Submitted." They stated that while the notice requesting the assertion letters was sent to 29 managers, it was not their intent that all 29 managers submit an assertion letter to OCFO.
OCFO stated that their intent was to receive letters from only the ADA level, but they could ask their lower level management to provide assertion statements and use them in their coordination, conclusion and summarization.

With respect to the section of finding 1 entitled, "Responsible Oversight, Program and District Officials Were Unclear as to Their Roles and Responsibilities Regarding FMFIA," OCFO agreed that OFO did not review the assertion letters submitted by the district offices and did not submit a summary in FY 2002. However, OCFO felt that it was important to point out that even though OFO had not reviewed the letters from the district offices, the district letters were reviewed by OCFO.

OCFO also stated that in FY 2003 OFO did review and summarize the assertion letters from the district offices but it was also correct that OFO did not provide the summarization until after the draft assurance statement had been submitted for review. OCFO further stated that OFO had verbally assured OCFO that none of the assertion letters from the district offices contained any material weaknesses and OCFO had reviewed the letters prior to circulating the draft assurance statement.

With respect to the section of finding 1 entitled, "SBA Management Should Be Held Accountable for Their Involvement in the FMFIA Process," OCFO believes that although the performance standards do not specifically mention FMFIA, internal controls are covered in the Personal Business Commitment Plans (PBCs) for Supervisors, Managers and Senior Executive Service officials. OCFO believes that instead of modifying the current PBCs, OCFO should concentrate on training those individuals to achieve a similar result. OCFO proposed that recommendation 1D be eliminated.
OCFO's response is included in its entirety as Attachment 1.

With regard to finding one and recommendation 1E, OFO agreed with the finding and recommendation as stated in the report. In their response to the OIG, OFO points out that FMFIA is the primary responsibility of OCFO and throughout the report it should be represented as such. OFO's response is included in its entirety as Attachment 2.

OIG Evaluation of Management's Response:

OCFO's planned actions are responsive to recommendations 1B and 1C. OFO's planned actions are responsive to recommendation 1E.

We agree with OCFO that the issues under finding 1 could be more accurately described as resulting from a communication problem rather than SBA having an ineffective process in place for FMFIA compliance. In turn, we revised the first sentence to reflect that the FMFIA annual internal control assessment and reporting requirements need to be more effectively communicated throughout the Agency.

In addition, while it may have been the intent of OCFO to only receive assertion letters from the ADA level, this was not clearly stated in the procedural notice requesting assertion letters. Accordingly, we believe that all ADAs and AAs should have submitted an assertion statement in FY 2003.

We also believe that only receiving assertion letters from the ADAs would not be sufficient information to support the Administrator's assurance statement. While an assertion statement provided by an ADA should be supported by the assertion statements from the AAs of the program offices underneath that ADA, there are several offices within the agency that are not headed by an ADA.
Examples of these offices include the Office of Disaster Assistance, Office of Veterans Business Development, and Office of the Chief Information Officer.

We agree that not all 29 managers need to be required to submit assertion statements to OCFO if they fall under a supervisory manager who is required to submit an assertion statement to OCFO. We changed the wording in the finding to state that the 29 managers were requested to submit assertion statements and concluded that SBA needs to more effectively communicate which managers are required to submit assertion letters. We also included a paragraph in the audit report stating that receiving assertion statements from only ADAs would not be sufficient to support the Administrator's assurance statement as some program offices do not report to an ADA.

We agree that OCFO reviewed the district offices' assertion letters prior to the release of the assurance statements in FY 2002 and FY 2003. Therefore, we added additional language to the finding to clarify this point.

We reviewed the PBCs for Supervisors, Managers and Senior Executive Service officials and believe that internal control reporting is not sufficiently addressed in the PBC. We still believe that, if possible, PBCs for applicable Agency managers and OCFO officials should be modified to include FMFIA internal control assessment and reporting elements. In turn, the applicable recommendation remains unchanged.

Finding 2: SBA Has Not Developed Sufficient Policies and Procedures for the Agency's Internal Control Assessment Process

OCFO has not developed sufficient policies and procedures for ensuring the Agency's compliance with FMFIA. SBA's internal control SOP is outdated leaving SBA management to rely on a procedural notice as their guidance regarding internal control assessment.
While a procedural notice can be used for disseminating information throughout the Agency or as temporary guidance, it should not serve as the only source of guidance regarding internal control assessment. As a result, SBA has not provided management sufficient permanent policies and procedures to allow them to properly assess internal control, including providing management with a definition of material weakness as it relates to SBA and its objectives.

Effective Standard Operating Procedures for Internal Control are Outdated

SBA's current internal control SOP is outdated as it does not incorporate the current GAO Standards as well as provisions of other applicable laws. As a result, SBA management and employees do not have proper standards and guidance for establishing, maintaining, and evaluating the internal control systems within their offices.

In 2001, OCFO developed a revised SOP for internal control that updated SBA's current policies. Draft SOP 00 02 3, Internal Controls, was sent through the appropriate channels for clearance, including review by the Office of General Counsel (OGC) and the Office of Inspector General (OIG), but was never issued in final.

OCFO officials stated that SOP 00 02 3 was never issued in final due to reorganization of OCFO, the passage of the Sarbanes/Oxley Bill and the incorporation of comments from OGC. Because draft SOP 00 02 3 was never finalized, SBA is still under the direction of SOP 00 02 2, which is outdated. SOP 00 02 2 was finalized in 1986 and does not include provisions from the Chief Financial Officer's Act of 1990, Government Performance and Results Act of 1993, Government Management Reform Act of 1994, Federal Financial Management Improvement Act of 1996, Federal Information Security Management Act of 2002, OMB Circular A-123 issued in 1995 and the GAO Standards issued in 1999.
OCFO also stated that a new SOP is in final clearance and they anticipate issuance over the next 60 to 90 days.

SBA Officials Did Not Have a Universal Understanding on What Weaknesses Should Be Classified as Material Weaknesses.

An important part of internal control assessment is the identification of reportable material internal control weaknesses. The Administrator's annual internal control assurance statement to the President and Congress is required to include any material weaknesses that are present in SBA's internal control system.

When the nine sampled offices were asked how they defined material weakness, they generally provided the following four responses:

Definition of Material Weakness                           Oversight  Program  District
Keeps the program from being able to perform its proper   √          √        √√
  function and mission
Anything that affects the integrity of the program        -          √        √
Determined based on money thresholds and the wasting of   √          -        √
  government funds
Higher level of program weakness than an auditor's        -          √        -
  determination of an internal control weakness

√ represents one office's response

While all of these responses may indicate that a material weakness exists, this shows that there is not a universal understanding by Agency management on what deficiencies should be considered material weaknesses.
Accordingly, Agency management in SBA's program oversight
offices may be defining material weakness differently than the program offices they oversee.
This could lead to a material weakness not being properly identified at several levels and
disclosed to upper management and/or outside the Agency as appropriate.

        We believe this is caused by a lack of internal Agency guidance on this matter. While
SBA issues a procedural notice to Agency management annually regarding internal control
assessments, this guidance is not detailed enough. The guidance states that material weaknesses
are to be reported by agency managers in their assertion letters and references OMB Circular
A-123 as the Agency's definition of material weakness. This circular does not give a clear
definition of an internal control weakness; it merely states that a material weakness is a
deficiency that the agency head determines to be significant enough to be reported outside the
agency.

        Therefore, SBA should issue guidance which defines material weakness as it relates to all
levels within the Agency. The GAO Standards state that management is responsible for
developing detailed policies and procedures to fit their agency's operations. Providing
specific guidance on what the agency deems to be a material weakness will help agency
managers determine whether weaknesses, such as those identified by the OIG as serious agency
management challenges and those identified by the OIG's independent auditors as a result of the
annual financial statement audit, should be reported outside the agency.

        To illustrate, the OIG noted in its FY 2002 and 2003 management challenges reports
several areas where SBA programs or activities pose significant risk. However, the
Administrator's assurance statement for FY 2002 did not include any of the challenges as
material, and in FY 2003, only weaknesses related to one of the challenges were considered
material.
Without clear guidance, there is no assurance that Agency managers are giving proper
consideration to the results of OIG and other independent reviews when formulating their
assertion letters.

        We found that other agencies had developed definitions of material weakness specific to
their agency. For example, the National Oceanic and Atmospheric Administration defines
material weakness as a serious problem that could significantly impair the fulfillment of an
agency or component's mission, deprive the public of needed services, violate statutory
requirements, weaken safeguards against waste and loss or result in a conflict of interest. Also,
the U.S. Army White Sands Missile Range, which provides quality test, evaluation, research, and
other technical services to the Army and Department of Defense, determines materiality by the
degree of impaired mission accomplishment, statutory violations, information security impact
and public deprivation of Government services. Further, the Department of Interior formed a
material weakness team that developed criteria for defining a material weakness as it related to
their agency.

Recommendations:

We recommend that the Chief Financial Officer:

2A.    Take appropriate action to revise, clear and issue draft SOP 00 02 3 within 120 days and
       include the policies and procedures described in recommendation 1A.

2B.    Clearly define material weakness as it relates to SBA and its programs in SOP 00 02 3
       and define material weakness at the different levels of management within the Agency.


SBA Management's Response:

        OCFO generally agreed with finding 2 and recommendations 2A and 2B, but disagreed
with the reasons listed in the draft report for why SOP 00 02 3 had not been issued.
OCFO stated that there has not been a "loss of motivation" to get the SOP issued in final, but rather the
SOP was delayed due to a number of factors including: the reorganization of OCFO, passage of
Sarbanes/Oxley, and the incorporation of comments from the Office of General Counsel.
Additionally, they believe it is unfair that we represent in the report that OCFO has to devise a
plan of action regarding internal control implementation before issuing an updated SOP. They
believe that SBA already has an active internal control system.

        They also noted that the new SOP would be in final clearance and anticipate issuance
over the next 60 to 90 days. In addition to the SOP finalization and issuance, OCFO stated they
would be issuing more detailed informational notices and providing management training to
managers throughout the Agency. In conclusion, OCFO asked that we remove paragraphs 3 and
4 and indicate that a new SOP is in draft.

        OCFO agreed with the section of finding 2 entitled, "SBA Officials Did Not Have a
Universal Understanding on What Weaknesses Should Be Classified as Material Weaknesses,"
and stated that more detailed information regarding material weakness would be beneficial.
OCFO also wanted to ensure that the report clearly states that the definition used by the Agency
is identical to the definition as it is stated in OMB Circular A-123.

OIG Evaluation of the Management's Response:

        We have removed the sentence regarding what was stated by an OCFO official in an
interview regarding the loss of motivation to issue SOP 00 02 3 in final due to a change in
leadership in the Administration and OCFO.
The sentences regarding the current SOP being
outdated and the applicable provisions not being included in the SOP are statements of fact and
will remain.

        We also removed the sentence that stated OCFO officials in a recent interview
acknowledged that they have taken no action to get a current SOP finalized and would not do so
until OCFO had devised a plan of action regarding internal control implementation. We instead
stated that a new SOP is in final clearance and OCFO anticipates issuance over the next 60 to 90
days.

        With respect to ensuring the report reflects that the Agency's definition of material
weakness is identical to the definition in OMB Circular A-123, we added additional wording to
the finding in order to clarify that point.


Finding 3: SBA is not Performing Complete Risk Assessments in Accordance with
           Applicable Requirements

        SBA management is not performing a complete risk assessment of their respective offices
in accordance with the GAO Standards. In FY 2003, all seven of the sampled program and
district offices stated that they performed a systematic risk assessment. The two sampled
oversight offices, however, did not perform risk assessments. We reviewed the documentation
provided by the sampled offices to support their risk assessment and found the assessments to be
incomplete. Risk assessment is a preventative process, allowing management to identify
potential weaknesses that impede the ability to accomplish program or operating objectives
before they occur. By not performing complete risk assessments, SBA may develop weaknesses
that could have been deterred had the assessment been properly performed.

        Annual risk assessments are an integral part of evaluating an agency's internal controls.
Risk assessment can be broken down into a four step process. According to the GAO Standards
an agency must:

   1. Develop clear and consistent objectives, such as those defined in the strategic and annual
      performance plans. (Example - upgrade office's management information systems by
      March 31, 2004)
   2. Identify all risks, both internal and external, that would keep the office from achieving
      the clear and consistent objectives. (Example risk - office will be unable to properly
      orient and train the employees using the upgraded system by March 31, 2004)
   3. Analyze each risk for its effect, significance and likelihood of occurrence.
   4. Decide on how to manage the risk and what actions should be taken.

        This process is performed to ensure that current internal controls are sufficient to meet
newly developed goals and objectives. If risks are identified, management has the opportunity to
create new internal controls to ensure that the goals and objectives can be met.

        As part of the assertion letter preparation process for FY 2003, SBA managers were
asked in the procedural notice regarding internal control assessment to refer to the assertion letter
template on OCFO's intranet website. The assertion letter template is an outline of what the
assertion letter should include and how it should be formatted. The template has a specific
section regarding the performance of systematic risk assessments. OCFO gave managers two
options to complete a systematic risk assessment. Managers could complete an Agency
developed internal control checklist or perform their own management analysis.

Internal Control Checklist

        SBA developed the internal control checklist by incorporating the results of a mapping
process that was performed on all program offices and most district offices between 1999 and
2001. Mapping was a formal, documented process in which employees judged the effectiveness
of the processes in their respective offices to meet their objectives.
The checklist is a 49-page
document that breaks down various functions performed within SBA (e.g. loan process, surety
bond guarantee, and 8(a) business development review). The functions are then broken down
into detailed step-by-step activities that need to be completed in order to carry out the task.

        Of the 69 district offices and 14 program offices that provided assertion letters in
FY 2003, 59 district offices and 1 program office stated in their assertion letters that they
completed the internal control checklist as their risk assessment. Of the nine offices in our
sample, all four district offices and one program office completed the checklist. We reviewed
the internal control checklist to determine if it complied with the four steps of risk assessment
according to the GAO Standards. It complied with one step, partially complied with two steps,
and did not comply with the remaining step as shown on the following table.

       Risk Assessment Step    Compliance   Reasons for non-compliance

   1   Goal development        Yes
   2   Risk identification     Partially    The checklist does identify internal risks by identifying
                                            required activities within the tasks that are not being
                                            performed by an office. The checklist, however, does
                                            not identify any external risks. It is important to note
                                            that as new functions or tasks are introduced into the
                                            Agency the checklist needs to be updated and the
                                            activities listed.
   3   Risk analysis           Partially    The checklist does not provide a step for analyzing a
                                            risk's occurrence and its possible effect. The checklist
                                            only estimates the risk's significance based on ranking
                                            each activity on a scale of 1-4, 1 being a significant
                                            problem and 4 not as significant.
   4   Risk mitigation         No           The checklist does not require the user to create any
                                            mitigating plans or actions to prevent the risk from
                                            occurring.

        While the checklist is a useful tool for program and district offices to use for risk
assessment, we determined that it did not allow for a complete risk assessment to be performed.
For steps three and four, we asked that the offices provide supporting documentation that these
steps were performed. None of the offices were able to provide the documentation. They stated
that the remainder of risk analysis and all of risk mitigation were performed through
management meetings and none of these meetings were documented. As a result, there was no
documentation to support that complete risk assessments had been performed in accordance with
the GAO Standards.

Management Analysis

        The other option given to managers for performing a risk assessment was to perform a
management analysis of their business process, functions and/or area. OCFO advised that the
managers also gather information through management and staff interviews.

        Of the 69 district and 14 program offices that provided assertion letters in FY 2003, 7
district offices and 7 program offices stated in their assertion letter that they performed
management analysis for risk assessment. Of the nine sampled offices, two program offices
stated that they performed a management analysis for risk assessment.
We reviewed available
documentation provided by the program offices to support their management analyses to
determine if they had performed a risk assessment according to the GAO Standards.

        We determined that the program offices complied with the first step of risk assessment,
goal identification, according to the GAO Standards. Both program offices had goals and
projects listed in SBA's Scorecard (e.g. counsel 41,000 clients by September 30, 2004) which
directly tied back to one of SBA's three strategic goals. The Scorecard is an SBA internal
tracking system where oversight, program and district offices establish product and/or production
related goals. The office then updates the Scorecard and tracks its progress in achieving those
goals throughout the year. The Scorecard tallies production and states whether the goal was or
was not accomplished.

        Our audit found, however, that the program offices did not comply with the three
additional risk assessment steps of risk identification, analysis and mitigation. The
documentation provided by the sampled program offices to support their management analyses
consisted of reviews of program participants. These reviews were compliance reviews to
determine whether the program participants were complying with applicable federal regulations,
SBA SOPs, and other specified SBA guidance. These reviews did not address, assess, or
mitigate risks that would keep the program office or program participant from achieving the
goals specified in the Scorecard.

        As a result, we concluded that the management analyses performed by the two selected
offices were not a complete risk assessment according to the GAO Standards.
We believe that this occurred because SBA management did not receive proper guidance on how to perform risk
assessments and understand their importance in the internal control assessment process.
Furthermore, such weaknesses in the internal control assessment process undermine the
Administrator's ability to provide an accurate and complete assurance statement.

Recommendations:

We recommend that the Chief Financial Officer:

3A.    Provide detailed guidance to the oversight, program and district offices to explain how
       and when they are to perform and document a complete risk assessment according to the
       GAO Standards.

3B.    Update the internal control checklist as new functions are introduced into the Agency.


SBA Management's Response and OIG's Evaluation of Management's Response:

        OCFO agreed with finding 3 and recommendations 3A and 3B regarding actively
maintaining the internal control checklist and including information about risk assessment in the
internal control guidance. OCFO believes that through the implementation of the Loan
Monitoring System, the Agency has made substantial progress in the area that may represent the
largest risk. OCFO's planned actions are responsive to recommendations 3A and 3B.


Finding 4: OCFO Should Take an Active Role in Monitoring the FMFIA Process

        SBA should take a more active role in monitoring the FMFIA process. Our audit found
that OCFO (1) did not ensure that all program office assertion statements were submitted timely,
(2) did not ensure that all required program offices provided assertion letters, and (3) did not
provide feedback to management regarding their internal control assessments.
As a result, there is no assurance that OCFO had adequate data to support the Administrator's assurance statement.

Managers Did Not Submit Their Assertion Letters by the Required Deadline

        For FY 2003, none of the 14 assertion letters received by OCFO from the oversight and
program offices were received by the required due date. As a result, this may not have given
OCFO the necessary time to perform a sufficient review of the information provided in the
assertion letters before drafting the Administrator's assurance statement.

        The internal control procedural notice, issued in FY 2003, required the assertion letters to
be completed and forwarded to the Chief Financial Officer by October 1, 2003. Seven of the 14
letters were submitted in November, 5 letters were submitted in December, and 2 letters were
submitted in January of the next year, including 1 letter which was submitted after the draft
assurance statement had been circulated for clearance by OCFO to the OIG and OGC. OCFO
needs to ensure that the offices are providing their assertion letters in time for their review and
inclusion in the Administrator's annual assurance statement.

Requested Oversight and Program Managers Did Not Provide Assertion Letters

        As presented in finding 1, in the section titled Requested Internal Control Assertion
Letters Were not Always Submitted, 15 of the 29 requested oversight and program managers did
not provide an assertion letter in FY 2003. As a result, OCFO lacked sufficient data in
developing the Administrator's FY 2003 internal control assurance statement.
The lack of program offices providing assertion letters shows that there is need for OCFO's active
involvement in ensuring each requested program office submits their assertion letter so that the
assurance statement is adequately supported.

SBA Did Not Provide Feedback to Management Regarding Their Internal Control Assessment

        Eight out of the nine sampled offices stated during interviews that they did not have any
communication with OCFO during or after the FMFIA assessment process. The remaining office
stated that they could not recall if they had been contacted by OCFO.

        In order to help ensure that the assertion letters being provided by Agency managers are
acceptable and fulfill the needs of the Agency, OCFO should routinely communicate with the
Agency management throughout the assessment process. This communication should help
OCFO determine whether Agency managers are conducting assessments timely, thoroughly, and
in accordance with the applicable guidance. Also, Agency management would be more likely to
inquire of OCFO when they have a question about the assessment process.

        To illustrate this point, a representative from one district office stated during an interview
that she had questions regarding the internal control checklist and how it is supposed to be used,
but did not know who in OCFO to contact. Another representative from the same district office
said that even if they were to ask questions about the checklist it would cause too much chaos
and it was not worth the headache. If OCFO provided and maintained contact with the
responsible Agency managers during the assessment process, this type of confusion should be
minimized.
Not having open communications with the program and district offices regarding the
assessment tools and assertion letter opens the possibility that management may not be using the
tools properly and leads to inconsistencies in reporting.


Recommendation:

We recommend that the Chief Financial Officer:

4A.    Develop monitoring policies and procedures that will help ensure that the
       Administrator's assurance statement is based on complete and accurate data.

SBA Management's Response:

        OCFO partially disagreed with finding 4 and the related recommendation. Even though
OCFO is in agreement that the assertion letters were not received timely, they stated that when
no response was submitted by a responsible ADA, AA or district director, there was a follow up
process via telephone. OCFO also disagreed with the section of the finding entitled, "Required
Oversight and Program Managers Did Not Provide Assertion Letters." See management's
response and our evaluation of management's response in finding 1. Additionally, OCFO
believes that they supplied sufficient OCFO contact information in their internal control
procedural notice as the notice states that the CFO will be glad to answer any questions or
provide additional information.

        In conclusion, OCFO reiterates that it is evident that training for management needs to be
provided, which they are going to provide in the near future. In addition to issuing a procedural
notice this year, OCFO will organize conference calls by regions to the field offices to reinforce
the message of the procedural notice and provide an opportunity for the district directors to ask
questions.
These questions will be answered on a one-to-one basis and district directors will be
encouraged to contact the Office of Analysis, Planning and Accountability (OAPA).

OIG Evaluation of Management's Response:

        We have removed the statement that OCFO did not follow up with management when
they did not provide their requested assertion letters by the due date and instead stated that
OCFO did not ensure that all program office assertion statements were submitted timely. As far
as having the CFO act as the primary contact for any assertion statement questions, it is apparent
that the program and district offices did not take advantage of that offer. We believe that OCFO,
as the responsible office for this process, should take a proactive approach in ensuring that
requested officials both understand the complete process and are properly using the tools
available.

        We believe that providing training to management, actively communicating with
asserting officials and dedicating a specific contact office within OCFO are all steps in the right
direction. It is important to note that conference calls with the district directors will only
partially solve the problem. OCFO needs to also talk to the program officials within the Agency
to reinforce the message of the internal control procedural notice and provide program officials
an opportunity to ask questions and speak with OAPA directly. We recommend that these
meetings not be exclusively held with the asserting official, but also the managers who are
assisting in the internal control assessment and assertion statement writing process.


Finding 5: SBA's FY 2002 Statement on Internal Controls Contained Inaccurate
           Information

        As discussed in finding 1, several of the Agency managers we interviewed were
unclear as to their roles and responsibilities with respect to FMFIA.
This confusion led to
SBA including inaccurate information in SBA's FY 2002 PAR regarding the process used to
gather the information for the Administrator's assurance statement. SBA stated in the PAR
that OFO reviewed the assertion letters from the district managers and ensured that any areas
of concern noted by district managers were reported and trends were incorporated in the
Agency's internal control efforts. SBA further stated that based on this review, OFO
provided comments to OCFO.

        This statement is inaccurate. OFO stated they did not review the assertion letters
provided by the district offices and did not provide an assertion letter or similar document to
OCFO during FY 2002 (see details in Finding 1). Despite the fact that OCFO did not receive an
assertion letter from OFO, which would indicate that the aforementioned requirement had not
been met, OCFO included a statement in the PAR regarding the assurance statement
development process that was incorrect. This problem indicates a serious lack of controls within
the Agency to oversee the annual internal control assessment process.


SBA Management Response:

        OCFO generally agreed with finding 5 but believes that it would be more appropriate to
include it as evidence that internal control procedures need to be better communicated
throughout the agency. They believe that because this was an issue in FY 2002 and was
corrected in FY 2003, that the issue does not merit being a finding and recommendation on its
own.

OIG Evaluation of Management's Response:

        The finding addresses an issue that occurred during the time period covered by the audit
and, therefore, the finding remains unchanged.
As a result of the issue being corrected in FY
2003, we have removed the recommendation.


Finding 6: Potential Material Weakness Identified in the FMFIA Assessment Process

        OMB Circular A-123 states that agencies need to plan for how the requirements of OMB
Circular A-123 will be implemented throughout the agency and develop a written strategy to
ensure that appropriate action is taken throughout the year to meet the objectives of FMFIA.
OMB Circular A-123 states that the absence of such a strategy may itself be a serious internal
control deficiency.

        As is apparent from the findings in this report, there are significant weaknesses in
SBA's internal control assessment process. At the time of our exit conference, OCFO officials
stated that they had designed a new group within their office to handle internal control matters
and were considering implementation of a new internal control framework into the Agency.
Until such time that a new framework is developed and implemented, appropriate internal
controls may not be in place to ensure the effectiveness and efficiency of the Agency's operations
and compliance with FMFIA at this point in time. Therefore, SBA should consider reporting a
related material weakness in the Administrator's FY 2004 internal control assurance statement.

Recommendation:

We recommend that the Chief Financial Officer:

6A.    Report the deficiencies related to the internal control assessment and FMFIA reporting
       process identified by the OIG as a material weakness in the annual assurance statement
       that is released in SBA's Performance and Accountability Report for FY 2004, unless all
       recommendations included in this report are addressed before that time.


SBA Management's Response:

        OCFO disagreed with finding 6.
They believe that based on the additional information
and clarification provided in their response, the current issues existing within the internal control
process do not rise to the level of a material weakness.

OIG's Evaluation of Management's Response:

        We recognize the accomplishments that OCFO has made and hope that as a result of this
audit, improvements will continue to be made. However, if the recommendations stated in this
report are not addressed by the time the Administrator's annual assurance statement for FY 2004
is published, we believe that the Agency should consider reporting a related material weakness.
Of particular concern is the Agency's lack of adequate written policies and procedures regarding
internal control assessment and reporting according to FMFIA.


                                            ***
        The findings included in this report are the conclusions of the Office of Inspector
General’s Auditing Division. The findings and recommendations are subject to review,
management decision, and corrective action by your office in accordance with existing
Agency procedures for audit follow-up and resolution.


        Please provide us your management decision for each recommendation within 30 days.
Your management decision should be recorded on the attached SBA Forms 1824,
"Recommendations Action Sheet," and show either your proposed corrective action and target
date for completion, or explanation of your disagreement with our recommendations.


        Should you or your staff have any questions, please contact Robert G. Hultberg, Director,
Business Development Programs Group at (202) 205-[FOIA Ex. 2].


Attachments